Out-Law Analysis | 15 Jul 2014 | 9:01 am | 3 min. read
The government has proposed a new data retention law to replace one that was based on an EU directive that the EU's top court, the Court of Justice of the European Union (CJEU), struck down in April.
Data retention laws relate to traffic data about mobile and internet communications such as the source of a communication, its destination, date, time, duration and type. They do not relate to the content of communications, which is protected by other laws.
The EU's Data Retention Directive required telecoms companies to keep the data for a period between six months and two years so that it was available to law enforcement agencies. The UK used regulations, a form of 'secondary legislation', to implement the Directive in 2009.
The CJEU said that the directive on which the UK's laws were based violated EU citizens' rights to privacy as protected by human rights laws. It said that data retention processes could be lawful, but only if the length of time for which data was kept was determined by 'objective criteria', the data being collected was limited rather than simply all data in all circumstances, and the collection had a specific purpose.
While the proposed Data Retention and Investigatory Powers Bill (9-page / 153KB PDF) seeks to improve the safeguards in place in relation to these and other issues, the improvements do not appear to meet all the CJEU judgment's requirements.
The UK's regulations had been challenged by a judicial review and the new laws may well be challenged too, meaning that they will have to survive the same scrutiny that the Directive was placed under by the CJEU.
In relation to the timeframe of retention, under the Bill the secretary of state can issue a ‘retention notice’ that requires a telco to retain communications data for a maximum period of 12 months. The secretary of state can specify the period for which data is to be retained and “make different provision for different purposes.”
This attempts to address the CJEU judgment's requirements, but the problem is that it is discretionary and the secretary of state does not have to explain why a particular retention period has been ordered. The bill could therefore be challenged on the basis that, like the Data Retention Directive and the previous UK laws deriving from it, the Bill does not set out ‘objective criteria’ governing how long data should be kept for.
The Bill is not more likely than previous legislation to meet the CJEU's view that the scope of data held should be restricted. It says that a retention notice may "require the retention of all data or any description of data". The bill would have been less open to challenge had it included examples of the types of data which would not need to be retained.
The CJEU cited data connected to communications protected by professional secrecy such as between lawyer and client or doctor and patient as an example of data that could be excluded.
The Bill at least is specific about the purposes for which data is to be disclosed, unlike the previous law. It says that telecommunications operators may only disclose retained data in accordance with the exercise of certain powers by law enforcement agencies under the Regulation of Investigatory Powers Act (RIPA), by court order, other judicial authorisation or warrant or by regulations made under the Bill by the secretary of state.
Yet this falls quite a long way short of the CJEU’s example of a compliant data retention law – one which sets out ‘precisely defined serious offences'. RIPA, for example, allows for the retention of, and access to, data “for the purpose of preventing or detecting [any] crime or of preventing [any] disorder.” In allowing data to be retained in such broad circumstances, the new Bill may fail in the same way as the previous law. The broadness of purpose for which the new law may be used is in stark contrast to the limited categories of crime that the CJEU repeatedly referred to in its ruling – "serious crime", "organised crime" and "terrorism".
The CJEU said that data retention laws should provide the “minimum safeguards" required “so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against unlawful access and use of that data”.